1.5 KiB
| layout | page_title | sidebar_current |
|---|---|---|
| docs | Encryption | docs-agent-encryption |
Encryption
The Consul agent supports encrypting all of its network traffic. The exact method of this encryption is described on the encryption internals page.
Enabling Encryption
Enabling encryption only requires that you set an encryption key when
starting the Consul agent. The key can be set using the -encrypt flag
on consul agent or by setting the encrypt_key in a configuration file.
It is advisable to put the key in a configuration file to avoid other users
from being able to discover it by inspecting running processes.
The key must be 16-bytes that are base64 encoded. The easiest method to
obtain a cryptographically suitable key is by using consul keygen.
$ consul keygen
cg8StVXbQJ0gPvMd9o7yrg==
With that key, you can enable encryption on the agent. You can verify encryption is enabled because the output will include "Encrypted: true".
$ consul agent -data=/tmp/consul -encrypt=cg8StVXbQJ0gPvMd9o7yrg==
==> Starting Consul agent...
==> Starting Consul agent RPC...
==> Consul agent running!
Node name: 'Armons-MacBook-Air.local'
Datacenter: 'dc1'
Advertise addr: '10.1.10.12'
RPC addr: '127.0.0.1:8400'
HTTP addr: '127.0.0.1:8500'
DNS addr: '127.0.0.1:8600'
Encrypted: true
Server: false (bootstrap: false)
...
All nodes within a Consul cluster must share the same encryption key in order to send and receive cluster information.